GIVING BACK: Volunteerism in the IT security space

Jake Kouns

It can be easy to overlook the spirited volunteerism in the IT space, says Jake Kouns of the Open Security Foundation. Dan Kaplan reports.

Deb Hale is a system administrator who lives in Sioux City, Iowa. Each day, she commutes 20 minutes down Interstate 29 to her employer, a small internet service provider in Sergeant Bluff, where she oversees security and abuse.

In western Iowa, the 55-year-old is well isolated from the country's largest cities and technology hotbeds. But, in a sense, Hale's chosen place to live and work tells a lot about the internet and its decentralized nature. It also says a lot about how everyone, no matter their locale, plays a part in keeping the web secure.

“It is equally important that the internet maintain stability in Sergeant Bluff, Iowa, as it is in New York City,” she says. “Everything that hits the big guys, the large corporations, impacts us as well, and that's so important for people to understand.”

Hale is in a fortunate position to relay this message to others. For the past eight years, she has volunteered as an incident handler for the SANS Internet Storm Center (ISC). The ISC is a 10-year-old, all-volunteer effort that its director, Marcus Sachs, likens to the National Hurricane Center – a service tasked with monitoring the “conditions” of the internet and posting alerts about current threats around the clock. “We get a ton of stuff that comes to us, things that shouldn't come to us.” Sachs admits. “But they trust us not to say anything.”

Even in the face of the Great Recession, the ISC is just one of dozens of volunteer groups that exist within the still-burgeoning information security space. When at their best, the initiatives provide an outlet for very smart people to collaborate and share information in an array of subfields while, in the process, driving their for-profit counterparts to do better. What they lack in funding and profits, volunteer associations make up with energy, altruism, quick response times and, perhaps most importantly of all, autonomy, impartiality and trust, say those involved.

It is those latter three attributes that often matter most when one is talking about the delicacy of fighting off hacker attacks and defending sensitive corporate assets.

The Open Security Foundation (OSF) is another undertaking that leverages such traits to be successful. The organization's CEO and CFO is Jake Kouns, a 32-year-old married father of two children whose day job is senior director of technology at Markel Corp., a major insurance holding company. OSF was incorporated in 2004 as a 501(c)(3) nonprofit.

“When we decided to create a nonprofit organization, we decided to think large,” Kouns recalls. “Let's start a broader organization that can support multiple projects.”

Today, OSF consists of two endeavors – DataLossDB, an exhaustive and searchable database that documents breaches worldwide and provides statistics that enterprises can use to make risk-management decisions, Kouns explains. A security leader, for example, might present information culled from the database to persuade senior management to invest in laptop encryption.

The other effort is OSVDB, or the Open Source Vulnerability Database, another searchable repository that chronicles security issues in hardware and software. The goal is to empower engineers to write more secure code, Kouns says.

Both are free.

When describing the work OSF does on a daily basis, Kouns often talks about the greater good.

“If we turned completely corporate, there would be an inherent distrust,” Kouns said recently in an interview with this writer at the RSA Conference in San Francisco. “If you get too in bed with someone, they're going to be like, ‘These guys are out to help them.' All we're trying to do is improve the security posture for anyone and not require large sums of money.”

Security is still a very immature field, he adds. “That's why you're getting so many people in the security space who have an interest. We see all these things that could be done differently. Volunteering is a platform to improve things without getting into a security company and changing the bureaucracy of that organization.”

Wade Baker, director of risk intelligence at Verizon Business, the company that distributes arguably the most comprehensive annual report on data breach investigations, says groups such as OSF can uniquely position themselves.

“Verizon wouldn't let me report a breach naming a certain company,” he says. Instead, Verizon can use its assets in a different way – to respond to incidents and help breached organizations (and readers of the report) make sense of what happened, he says.

But as much as Kouns steadfastly believes in the OSF project, he is not afraid to paint the dark side of charity work. The time-consuming dedication that the effort requires mostly is what brought him to the RSA show this year, where he sought out additional licensing agreements, sponsors and even government funding. He describes much of his team as in “burnout mode” and says the only way to survive will be to hire a few salaried employees to maintain the projects.

“Since 2002, of the hundreds or thousands of volunteers who said they're going to work, it's come down to five or 10 people who've done the bulk of the work,” he says. “I think a lot of people, they love the site and they'd love to do it, but it's putting in time. The reality is once you leave your day job, you're tired.”

Shadowserver Foundation

Another 501(c)(3), the Shadowserver Foundation leverages its similarly small team of volunteers to capture and analyze malware on the internet. Using a global army of honeypots and contributions, the 12-member group is capable of collecting and studying some 250,000 malware samples each day.

But Shadowserver's main contribution to the cybercrime fight may be its insight into the rampant botnet scourge, as well as the command-and-control servers that provide instructions to these networks of compromised computers. In fact, the groups' research played an integral role in stopping the spread of the insidious Conficker worm last year.

Subscribers to Shadowserver – researchers, operators, corporations – can sign up for nightly reports that detail if their networks are trafficking malicious communication.

“It's almost like having two full-time jobs for me now,” says André DiMino, the organization's founder and director. “We're always constantly staying cutting-edge of what's happening out there.”

DiMino, who spends his days as a digital forensic investigator for a law enforcement agency, says that while the workload can be heavy, it is rewarding – and few on the team are complaining.

“Our philosophy is that data about infected networks ultimately belongs to that infected network,” he says.

“Security has a certain urgency to it,” DiMino adds. “If folks on an ISP have significant infection with a keylogger that is capturing data and stealing identities, there needs to be a community effort to not only report it and take it down – but also to study it.”

Rick Howard (left), intelligence director for VeriSign iDefense Security Intelligence Services, says a group like Shadowserver can cater to some of the smaller end-user outfits, the ones that cannot afford to pay a company like VeriSign for reports that may overwhelm them.

“Security people have a real inclination to share data,” he says. “They're not in it for the money. They're in it because they're providing services to the nation.”

Law enforcement agnostic

Most agree that information sharing is a key weapon to winning the cybercrime fight – after all, sharing of intelligence is exactly how the crooks hone their craft. However, there is a natural reluctance among enterprises to disclose information to law enforcement.

Enter the National Cyber Forensics and Training Alliance (NCFTA) whose mission is to “identify, mitigate and neutralize,” says Ron Plesco, president and CEO.

The Pittsburgh-based nonprofit exists to identify cybercrime threats, namely how they are playing out and who is behind them. The NCFTA then shares that information with its Fortune 500 partners and law enforcement peers, anonymously, with the goal of mitigating the threat.

“Industry is reluctant to share information with law enforcement without a court order,” Plesco says. “We consider ourselves law enforcement agnostic. [Businesses] use us as a trusted outlet to let us know what they're seeing.”

Armed with that visibility, the NCFTA can funnel valuable information to others.

“We're getting information related to threats as it happens to our partner corporations and then using that information to determine who's doing it and how they're doing it,” he says. “We're just a facilitator of information. We're not trying to hunt anyone down.”

Many times, though, criminals confuse the NCFTA's efforts with those of law enforcement, who are truly out to prosecute the web's miscreants. Plesco and his family have been threatened on various internet forums over the years. But he views the disdain as flattery.

“It makes us believe we're being effective, if that's the level of response,” he says.

Support problems that groups like Open Security Foundation face are not an issue at the NCFTA. The organization is a bigger operation than most nonprofits within information security. In fact, 19 of its 37 members receive salaries.

Dragon Research Group

One of IT security's newest philanthropic endeavors is an offshoot of Team Cymru (pronounced kum-ree), a 501(c)(3) based in Chicago. Selected volunteers of the Dragon Research Group (DRG), as the initiative is called, must undergo a rigorous vetting process before they can participate. The goal of the group is simple: Assimilate and interpret data trends collected by a network of custom-built, Linux-based Live CDs, known as DRG Distros, designed to monitor malicious internet activity. So-called “pod partners” agree to install the technology on their corporate networks and share the results. In return, they receive access to the overall findings of the group.

“The vision is eventually we'll have enough deployed in enough interesting locations that we'll see trends and occurrences across geographies and IP addresses,” says Dave Dobrotka, the lead DRG manager who works full time as associate director of information security for a Fortune 500 accounting firm. “The attack vectors are so varied. The methods the bad actors use to deliver their wares are so much more varied and sophisticated.”

What makes DRG such an appealing idea is that for people to help, they do not need to exert much effort. Simply install the technology on their networks and – voila – they are helping to rid the internet of malware, Dobrotka says.

“Having this kind of intelligence would be costly to do internally,” says Steve Santorelli, director of Team Cymru's global outreach team. “It wouldn't really lend any value to the company because there's no sharing. When a volunteer group does it, you essentially get it for free and everyone gets to benefit.”

Pushing ahead

Most of the IT security practitioners interviewed for this story tended to shy away from counterinsurgency as a reason for their volunteerism – perhaps because such an emotion is rooted in vengefulness, instead of selfless aid. Still, some did address how they believe their actions can help take back the internet.

“The internet is such a useful tool, and the way it's been exploited, the fact that it's being used more now for bad than good, kind of just makes it easy to want to volunteer,” Dobrotka says. “I'd like to do my part to restore the balance in that regard.”

That is a sentiment echoed by Hale, the SANS Internet Storm Center's first female incident handler (and its first grandmother, as she likes to point out). “I'm very concerned about the direction I see the internet taking,” Hale says. “I'd like to see some of the fragilities of the internet taken care of.”

What everyone seems to agree on is that corporatization of these open-handed endeavors would be the death knell. “We can be perfectly open and honest and tell it like it is,” Hale says.

That is part of the reason why so many other groups have formed, such as the Anti-Phishing Working Group and Spamhaus, two outfits that have been successful in their crusade to eliminate and shame junk and malicious emailers. Or the Identity Theft Resource Center, which provides resources for victims of fraud.

“There are a lot of different angles to security,” Dobrotka says. “All of these volunteer groups have a specific focus and some need.”

But Kouns realizes volunteerism is a thankless activity.

“People don't tell you so much when you're doing a great job,” he says. But he knows the community relies on OSF. “Let's say the six of us didn't do it for three weeks,” Kouns says. “Then the data is stale and are we really empowering those risk management decisions? For us, if you want to keep up with things and provide detailed current and unbiased technical security information, it's a daily event.”

In other words, if OSF were to shut its doors tomorrow, people would come knocking. Or, more likely, considering the crowd it caters to, they would start emailing.